Is there a way to configure a group rule so it only fires for active Okta users? Currently, if I disable a user's Okta access, the group rules still fire for the user and they maintain their group memberships. This means I need to manually remove them from the groups, which creates exceptions in the group rules and is not very clean. Suggestions?
What types of group rules is this affecting? There is currently no way to automatically remove deactivated users from the groups they were a member of. I would be interested in hearing about some use cases where this would be beneficial.
Of course you are welcome to submit this to us as a feature request using the ‘Post Idea’ button in the link below if you haven't done so already.
As an example, we have an API call configured that pulls all group membership to a particular Okta group to determine who needs access on a separate on-prem system. We recently encountered an issue in which an employee was terminated, but they were still a member of the Okta group, which meant their access to the on-prem system remained. We got lucky in that case because our operations team ran a user audit soon after and I was able to remove them manually, but it could have been a very severe security issue. I have already created an idea for this issue (https://support.okta.com/help/ideas/viewIdea.apexp?id=087F0000000BF7C)
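One way to close the gap described in the post above, as an added example that is not part of this thread or Okta's own tooling: pull the group's members from the Okta API and keep only users whose status is ACTIVE before handing the list to the on-prem system, so a deactivated user who is still attached to the group does not retain access. It assumes the standard GET /api/v1/groups/{groupId}/users endpoint; the org URL, API token and group id are placeholders, and the sample user objects are constructed.

```python
import json
import urllib.request

# Only these statuses count as "still has access". DEPROVISIONED, SUSPENDED,
# STAGED etc. are excluded even if the user is still attached to the group.
ALLOWED_STATUSES = frozenset({"ACTIVE"})


def active_members(users, allowed=ALLOWED_STATUSES):
    """Return the logins of group members whose Okta status is in `allowed`."""
    return sorted(u["profile"]["login"] for u in users if u.get("status") in allowed)


def _next_link(link_headers):
    """Extract the rel="next" URL from Okta's Link headers, or None when done."""
    for header in link_headers:
        for part in header.split(","):
            url, _, rel = part.partition(";")
            if 'rel="next"' in rel:
                return url.strip().strip("<>")
    return None


def fetch_group_users(org_url, api_token, group_id):
    """Fetch every member of a group via GET /api/v1/groups/{id}/users,
    following Link: rel="next" pagination so no page of members is skipped."""
    url = f"{org_url}/api/v1/groups/{group_id}/users?limit=200"
    users = []
    while url:
        req = urllib.request.Request(url, headers={
            "Authorization": f"SSWS {api_token}",  # SSWS is Okta's API-token scheme
            "Accept": "application/json",
        })
        with urllib.request.urlopen(req) as resp:
            users.extend(json.load(resp))
            url = _next_link(resp.headers.get_all("Link") or [])
    return users


# Constructed sample in the shape of the API's user objects (not real data).
SAMPLE_USERS = [
    {"id": "u1", "status": "ACTIVE", "profile": {"login": "alice@example.com"}},
    {"id": "u2", "status": "DEPROVISIONED", "profile": {"login": "bob@example.com"}},
    {"id": "u3", "status": "SUSPENDED", "profile": {"login": "carol@example.com"}},
]

if __name__ == "__main__":
    # Live use: fetch_group_users("https://ORG.okta.com", "API_TOKEN", "GROUP_ID")
    print(active_members(SAMPLE_USERS))  # ['alice@example.com']
```

Feeding the filtered list (rather than raw group membership) to the on-prem provisioning job means a termination takes effect there even before the group rule exception is cleaned up.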